Land mobile radio (LMR) systems are just as vulnerable to cyberattacks as any other networks used in the public-safety sector. Here’s what to do about it.
There was a time, not very long ago, when public-safety agencies and other public-sector organizations didn’t seem to fully appreciate the significant threat that cyberattacks pose to their operations and ability to fulfill their missions. But that began to change over the last couple of years, thanks to a spate of high-profile incidents.
One occurred in May 2023, when the city of Dallas suffered a ransomware attack. Ransomware is a type of malware that encrypts computer files in a manner that makes them worthless to the owner organization. The only way to decrypt the files is to pay a ransom to the cyberattacker, hence the name for this type of attack.
The Dallas incident affected numerous city servers and caused several noteworthy service interruptions, including knocking offline the police and fire department websites. The attack also affected the police department’s computer-aided dispatch (CAD) system; fortunately a backup system quickly was turned up, so emergency response was unaffected, according to news reports.
But even with cybersecurity now landing on the radar screens of the public-safety sector, it is safe to state that agencies are thinking primarily about their data networks—for example, CAD, geographic information systems (GIS), records management systems (RMS)—and not about their land-mobile-radio (LMR) systems, particularly those that comply with the Project 25 (P25) digital radio standards.
Overlooking these threats to LMR systems is a mistake. This article explains why and, more importantly, offers actionable strategies and tactics for correcting it.
The Challenges
In the past, analog and digital LMR systems have been isolated, standalone, self-contained, and not connected to the Internet, which generally means that no pathway existed for cyberattackers to infiltrate them.
Of course, that’s not to say that the potential for mischief with serious consequences didn’t exist. For example, anyone armed with an inexpensive two-way radio—easily purchased for about $30 from Amazon—a public-safety agency’s radio frequencies and private-line (PL) tones—easily found on the Radio Reference website—and a little know-how can talk on an LMR system channel to disrupt voice communications, which makes emergency response more difficult and dangerous.
This also can be done on P25 systems, but it is less likely, because P25 access controls and the larger number of frequencies in use make such disruption harder to carry out.
But that’s not how cyberattackers think. They’re not interested in nuisance attacks as much as they want to worm their way into networks and systems with the objective of accessing data files that they can encrypt, primarily for profit but also to disrupt operations on a much larger scale.
Unfortunately, anyone wishing to target an LMR system has a plethora of vulnerabilities to choose from, which substantially increases the risk profile. This is true even for P25 systems, despite certain protections that are baked into the standard, such as encryption, the use of multiple frequencies, and a feature called “radio inhibit,” which enables system managers to identify a rogue radio and essentially turn it into a brick.
More often than not, cyberattackers are not local criminals looking to disrupt communications so that they can carry out nefarious activities without police intervention. Rather, they are primarily opportunists seeking any opening to infiltrate networks in a way that will inflict as much pain as possible on the operators, so that they can collect a larger ransom. The vulnerabilities that exist within LMR systems typically result from poor cybersecurity hygiene, meaning that ineffective system-management policies inadvertently can allow cyberattackers to bypass the system’s security measures, which often exist only at the edges of the network.
Some of the most common cybersecurity vulnerabilities for LMR systems are listed below.
Lack of physical controls: Often, public-safety agencies share a facility with one or more municipal or county agencies—for example, the animal-control department—that are public-facing entities. Anyone visiting animal control — and many do every day, perhaps to check on a lost pet or to rescue one — could wander off undetected and enter the public-safety equipment room, if strong access controls are lacking.
Once inside, they could plug a Universal Serial Bus (USB) device into any port on the LMR system’s routers and/or servers to deliver a ransomware payload.
Speaking of ports, it is common for vendors to leave them open inadvertently when they finish routine maintenance work, which creates potential breach points. Each open port presents cyberattackers with an entry point into the network or system. Once inside, they move laterally in search of other vulnerabilities that can be exploited, often for months at a time.
Lack of access controls: A corollary vulnerability concerns access controls, such as strong passwords/passphrases, multifactor authentication (MFA), biometric scanners, and smart tokens that change access codes every few seconds.
Such controls should be applied to every location that houses LMR system equipment and to every device that operates on the system. Without robust access controls, all someone needs to get into a network or system is a username and password, and cyberattackers use automated password-guessing tools to obtain those. As a result, the cybersecurity risk rises sharply.
Lack of strong device policies: It is common for LMR systems to be interconnected with 911 dispatch consoles used by telecommunicators in an emergency communications center (ECC). Some agencies have strong policies governing the types of devices that can be plugged into such consoles, but many do not. In the latter case, a telecommunicator could plug a smartphone, MP3 player, or other device into their console and—if the device has been compromised with malware—the 911 and LMR systems could be compromised.
Lack of cybersecurity training: When cybersecurity training is lacking, personnel are more prone to being victimized by phishing and spoofing activities or to doing something reckless, like inserting unauthorized devices into system-connected equipment. All of these unwanted situations place every network and system operated by the public-safety agency, including an LMR system, at greater risk of a cyberattack.
Lack of tracking for individuals with system access: In today’s environment, many individuals across an agency or its LMR vendor have remote access to the system’s management functions. It is common practice for usernames and passwords to be shared across many individuals, making it nearly impossible to track who exactly is accessing the system at any given time, and to revoke access when an individual leaves the organization.
The more individuals that have access to the system, the more likely that access credentials can fall into the wrong hands.
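To make the tracking problem concrete, here is an added example (not from the article or its author) of a check an agency or its independent monitor could run over the management server’s login records. The log format, the usernames and the addresses are constructed for illustration; the idea is that one credential in use from several different places at nearly the same time is the signature of a shared account, and a simple per-user inventory of source addresses shows how widely each credential has spread.

```python
"""Flag shared management credentials from login records.

Added example, not part of the article: the log format below is a
constructed one (timestamp, user, source address, result) standing in
for whatever the LMR management server or its jump host actually logs.
A username authenticating successfully from two different source
addresses inside a short window is the signature of one credential
being shared by several people.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:02:11 login user=lmradmin src=10.20.1.15 result=ok
2024-03-04T08:05:40 login user=lmradmin src=203.0.113.7 result=ok
2024-03-04T08:06:02 login user=jsmith src=10.20.1.22 result=ok
2024-03-04T09:30:00 login user=lmradmin src=10.20.1.15 result=ok
2024-03-04T13:12:45 login user=lmradmin src=198.51.100.9 result=ok
2024-03-05T07:55:10 login user=jsmith src=10.20.1.22 result=fail
"""


def parse_line(line):
    """Split one record into (timestamp, user, source, result)."""
    ts_str, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_str), fields["user"], fields["src"], fields["result"]


def successful_logins(log_text):
    """Group successful logins by user as time-sorted (timestamp, source) lists."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = parse_line(line)
        if result == "ok":
            events[user].append((ts, src))
    for evs in events.values():
        evs.sort()
    return events


def sources_per_user(log_text):
    """Distinct source addresses per user over the whole log: an inventory
    of how many places each account is being used from."""
    return {user: len({src for _, src in evs})
            for user, evs in successful_logins(log_text).items()}


def find_shared_accounts(log_text, window_hours=1):
    """Return {user: [sources]} for accounts used from two or more
    distinct addresses within `window_hours` of each other."""
    window = timedelta(hours=window_hours)
    flagged = {}
    for user, evs in successful_logins(log_text).items():
        for i, (ts_i, src_i) in enumerate(evs):
            for ts_j, src_j in evs[i + 1:]:
                if ts_j - ts_i > window:
                    break  # list is time-sorted; nothing later is closer
                if src_j != src_i:
                    flagged.setdefault(user, set()).update({src_i, src_j})
    return {user: sorted(srcs) for user, srcs in flagged.items()}


if __name__ == "__main__":
    for user, srcs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"{user}: concurrent use from {', '.join(srcs)}")
```

On the constructed log, `lmradmin` is flagged because it logs in from an agency address and from an outside address three minutes apart, which is exactly what a credential shared with a vendor looks like; the fix the article calls for is one account per person, so that the same query returns nothing.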
Shelters in remote locations: An LMR system is designed to provide wireless communications over a very wide area, and it employs numerous tower sites—often a dozen or more. Each tower site is accompanied by a shelter that houses equipment enabling the system to perform, such as base stations, repeaters, routers, and servers.
Shelters often are in remote locations, and those locations often are not secured properly with solutions like fencing and camera systems. In such circumstances, the LMR systems are highly vulnerable to intrusion by a cyberattacker who—with very little fear of being interrupted—could plug USB devices containing malware into any piece of equipment in the shelter with potentially disastrous consequences.
Shelters with many tenants: It is not unusual for several municipal or county agencies to share equipment shelters. This means that maintenance personnel other than those employed by the public-safety agency will have access to the LMR system equipment, making it easy to launch a cyberattack.
The “Don’t look behind the curtain” game: LMR system vendors typically tell public-safety agencies not to worry about cybersecurity, because that’s their job—and to trust that the vendor will do this vitally important job effectively. But this approach keeps agencies in the dark regarding how systems function and what threats might be lurking.
This is a bad position for agencies, and it is compounded by the fact that vendors generally do this job poorly. A corollary factor is that vendors charge a hefty fee for security and monitoring, and the agency has no way to validate whether it is occurring.
Cybersecurity resources spread too thin: Public-safety agencies often share IT and cybersecurity personnel with other municipal or county organizations, with the result being that such personnel have too much on their plates. This makes it exceedingly difficult for them to keep pace with constantly evolving threat vectors.
Use of IP-based backhaul: Arguably the greatest vulnerability is that the systems used by public-safety agencies to backhaul radio traffic from the tower(s) leverage Internet Protocol (IP), which has inherent security flaws. As a result, IP-based networks and systems are intrinsically vulnerable to cyberattacks.
The reality is that most public-safety agencies tend to think of their LMR systems in terms of radio frequencies and not IP, so they may fail to grasp the criticality of this vulnerability.
A corollary factor is that backhaul systems often are shared by public-safety agencies with other entities, each of which have their own vulnerabilities. The result is a dramatically diminished cybersecurity posture for all concerned.
As the reader can see, LMR systems, including P25 systems, have significant cybersecurity vulnerabilities. This is a significant problem, because a cyberattack—even if it lasted only a few minutes—would have a severe impact on emergency response.
During such a cyberattack, it would be extremely difficult—if not impossible—to dispatch law-enforcement, fire/rescue, and emergency-medical personnel. This limitation would place citizens and property at greater risk. Just as egregious, responders would be unable to communicate with each other, with incident command, or with 911 telecommunicators, which would severely diminish situational awareness.
What to Do
Fortunately, numerous strategies and tactics exist for reducing the severity of these vulnerabilities, if not eliminating them altogether. Some of the most important are highlighted below.
Implement robust endpoint protection: LMR system endpoints—base stations, repeaters, routers, and servers—are particularly troubling, because they represent a portal into the system core.
Unlike traditional signature-based antivirus offerings, endpoint protection solutions use artificial intelligence (AI) and machine-learning (ML) models to detect zero-day malware, that is, malicious software that legacy antivirus signatures cannot detect and/or mitigate.
These solutions generally are backed by a security operations center (SOC) that continuously monitors for threats and provides alerts when suspicious activities are identified.
Unlike legacy antivirus software, the AI and ML models hunt for certain behaviors, as opposed to specific files or signatures. When they find one that appears malicious, the SOC immediately responds by quarantining the affected network or system and/or removing the malware from the affected endpoint, effectively stopping the attack in its tracks.
Implement access controls: These take many forms. One of the most important and easiest to accomplish is instituting strong password/passphrase management. Passwords should be at least 12 characters long and contain some combination of uppercase and lowercase letters, numbers, and symbols.
Of course, sufficiently complex passwords often are difficult to memorize, so many organizations are moving toward passphrases, e.g., “IHateCyberattack$2023!!!” Regardless of the path taken, passwords and passphrases should be refreshed on a regular basis—at least once per quarter.
Leverage multifactor authentication: A strong password/passphrase management system should be coupled with multifactor authentication, which requires the employee to satisfy an additional check from one of the following categories before they are allowed to access the network or system:
- Something you are—an example would be biometrics, e.g., a retinal or fingerprint scan;
- Something you know—an example would be a challenge question, e.g., the hospital where you were born or the make and model of your first car; and/or
- Something you have—an example would be a token that changes an authentication code every few seconds.
Strong passwords/passphrases, coupled with multifactor authentication, provide a very effective barrier for preventing cyberattacks.
Improve physical security: This is the lowest-hanging fruit. Ensure that unauthorized personnel are unable to wander through the facility, make sure that equipment room doors always are locked and accessible only through passwords/multifactor authentication, and consider installing a video-surveillance system for the facility and shelters.
Regarding shelters, implement access controls and an alarm system that will be triggered by unauthorized entry. Ensure that ports are closed after maintenance activities, including on the radios themselves — this is another piece of low-hanging fruit.
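The “close ports after maintenance” item lends itself to a routine check. Below is an added example, not from the article, that takes the listening-socket list from a shelter server (the output of `ss -tlnH` on Linux), compares it with the site’s documented baseline, and reports anything that should not be there. It addresses network listening ports; physical USB ports are a matter of the physical controls above. The hostname, the baseline and the captured output are constructed for illustration.

```python
"""Post-maintenance check for listening services that should not exist.

Added example, not from the article. It parses the output of `ss -tlnH`
(listening TCP sockets, numeric, no header) as captured on a shelter
router or server after vendor maintenance, compares it with the site's
documented baseline, and reports anything outside it. The baseline and
the captured output below are constructed for illustration.
"""

# Constructed per-host baseline: the only TCP listeners that should be up.
BASELINE = {
    "site07-srv01": {22, 443},
}

# Well-known remote-management services that warrant an immediate look
# if they appear anywhere outside the baseline.
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Constructed `ss -tlnH` output for site07-srv01 after a maintenance visit.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
LISTEN 0      5            0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
"""


def parse_ss_listeners(text):
    """Return {port: set(bind addresses)} from `ss -tlnH` lines."""
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)  # handles "[::]:22" as well
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def loopback_only(addrs):
    """True when every bind address is a loopback address."""
    return all(a in ("127.0.0.1", "[::1]") for a in addrs)


def port_drift(host, ss_text, baseline=BASELINE):
    """Compare observed listeners against the baseline for `host`.

    Returns a sorted list of (port, severity, note). Loopback-only
    listeners are 'info' because they are not reachable from the backhaul;
    anything else outside the baseline is 'medium', or 'high' when it is a
    known remote-management service. A baseline service that is missing
    is also reported, since it may mean the maintenance left the host in
    an unexpected state.
    """
    allowed = baseline.get(host, set())
    observed = parse_ss_listeners(ss_text)
    findings = []
    for port, addrs in sorted(observed.items()):
        if port in allowed:
            continue
        if loopback_only(addrs):
            findings.append((port, "info", "loopback only"))
        elif port in HIGH_RISK_PORTS:
            findings.append((port, "high", f"{HIGH_RISK_PORTS[port]} exposed"))
        else:
            findings.append((port, "medium", "not in baseline"))
    for port in sorted(allowed - set(observed)):
        findings.append((port, "medium", "baseline service not listening"))
    return findings


if __name__ == "__main__":
    for port, severity, note in port_drift("site07-srv01", SAMPLE_SS_OUTPUT):
        print(f"{severity:6} tcp/{port}: {note}")
```

Run against a capture taken right after the vendor leaves, this turns the “make sure ports are closed” instruction into a two-minute verification; the same comparison, scheduled, also catches a listener that reappears later.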
Employ change-management tactics: Insist that the vendor change the usernames and passwords used for your system to something unique. Vendors often use conventional formats that cyberattackers guess easily, especially with automated password-guessing tools.
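Both the password rules given above under “Implement access controls” and the vendor-default concern here can be enforced at the moment a credential is set. The following is an added example, not from the article: it encodes the article’s rules (12 characters minimum, uppercase, lowercase, digits and symbols, refreshed at least quarterly) and a constructed list of patterns that resemble conventional vendor credentials (DEFAULT_PATTERNS is illustrative, not taken from any vendor). The sample accounts and dates are constructed; in practice a check like this runs where a password is being set or against a vault’s rotation metadata, never against a stored plaintext list.

```python
"""Credential hygiene checks for LMR system management accounts.

Added example, not from the article. It encodes the rules the article
gives (12+ characters mixing upper, lower, digits and symbols; refreshed
at least quarterly) and a second check for vendor-conventional
credentials. DEFAULT_PATTERNS is a constructed illustration of what
"conventional formats" can look like (a role or product word plus a
short number), not a list taken from any vendor.
"""
import re
from datetime import date

MIN_LENGTH = 12
MAX_AGE_DAYS = 90  # "at least once per quarter"
AUDIT_DATE = date(2024, 3, 4)  # constructed "today" for the sample run

CLASS_CHECKS = {
    "no uppercase letter": re.compile(r"[A-Z]"),
    "no lowercase letter": re.compile(r"[a-z]"),
    "no digit": re.compile(r"\d"),
    "no symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed examples of conventional/default-looking credentials.
DEFAULT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(admin|root|service|tech|install|support)\d{0,4}$",
    r"^(password|passw0rd|welcome|changeme|default)",
    r"^[a-z]+\d{2,4}[!.]?$",  # a vendor or site name followed by a year
)]


def complexity_issues(password: str) -> list:
    """Return the article's complexity rules that `password` fails."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CLASS_CHECKS.items():
        if not pattern.search(password):
            issues.append(label)
    return issues


def looks_conventional(password: str) -> bool:
    """True when the password matches one of the constructed default patterns."""
    return any(p.search(password) for p in DEFAULT_PATTERNS)


def evaluate_account(account: dict, today: date) -> list:
    """Findings for one record {"user", "password", "last_changed": date}."""
    findings = complexity_issues(account["password"])
    if looks_conventional(account["password"]):
        findings.append("matches a conventional/default pattern; change it")
    age = (today - account["last_changed"]).days
    if age > MAX_AGE_DAYS:
        findings.append(f"not rotated for {age} days (limit {MAX_AGE_DAYS})")
    return findings


# Constructed sample records; the passwords are placeholders, and a real
# check would be applied at password-set time rather than to a stored list.
SAMPLE_ACCOUNTS = [
    {"user": "lmradmin", "password": "admin1234", "last_changed": date(2023, 6, 1)},
    {"user": "vendor-svc", "password": "Vendorname2023", "last_changed": date(2024, 1, 10)},
    {"user": "jsmith", "password": "IHateCyberattack$2023!!!", "last_changed": date(2024, 2, 15)},
]


def audit(accounts, today):
    """Map each user to its list of findings (empty list means compliant)."""
    return {a["user"]: evaluate_account(a, today) for a in accounts}


def audit_sample():
    """Run the audit on the constructed records as of AUDIT_DATE."""
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, findings in audit_sample().items():
        print(user, "->", "; ".join(findings) or "ok")
```

On the constructed records the vendor service account passes the length rule and still trips the conventional-pattern check, which is the case the change-management advice is about: a credential can satisfy the complexity rules and remain guessable because its format is predictable.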
Don’t trust; instead, verify: This arguably is the most important tactic. It is essential that agencies perform their own monitoring—do not take the vendor’s word on anything pertaining to cybersecurity. Ideally, contract with an independent third-party in this regard; such an entity will have more robust cybersecurity expertise and can serve as the agency’s advocate to hold vendors accountable.
This advice echoes guidance from the National Institute of Standards and Technology (NIST) in Special Publication 800-53:[1]
Employ independent assessors or assessment teams to conduct control assessments
Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations.
It is especially important to hold the LMR system vendor accountable for security and monitoring, especially if the agency is paying for such services. It is better to drop those services and rely on the third-party entity, which almost always is going to have more expertise and better capabilities.
The vendor will push back, but it’s important that agencies are willing to fight the fight and understand that they do have recourse. If an agency is spending millions of dollars annually for security and monitoring services, failing to hold the vendor accountable is nonsensical.
Think of it this way: if a breach occurs, the agency will bear the brunt of the aftermath, not the vendor.
Conclusion
It’s time to bust the myth that LMR systems, especially Project 25 systems, are impervious to cyberattacks. Indeed, they have a great many vulnerabilities that can be exploited. However, numerous mitigation strategies and tactics exist that—when employed in concert—can improve the cybersecurity posture of such systems dramatically.
Nick Falgiatore is a senior technology specialist for Mission Critical Partners (MCP), which provides consulting and managed services to public-safety and justice organizations. Email him at [email protected].
[1] NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.
Says a lot for maintaining simpler, TDM-based communications systems to your LMR system. The recent tendency toward all-IP and all server-based systems makes them really vulnerable. Such systems often require remote vendor support, via an internet connection, that makes them even more vulnerable. Maybe the solution is to build hardware-based radio systems that don’t use PCs or servers and, dare I say it, don’t use IP connections. That would make them really secure!
This was very insightful. Coming from the dispatch console industry, we have seen increased interest in ways an agency can monitor and verify its security posture, whether that be weekly vulnerability reports, security dashboard overviews, etcetera. Acting on “Don’t trust; instead, verify” is becoming more important than ever.